Click here to load reader
Click here to load reader
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICESNovember 2013
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13 1 OF 17DRAFT| [SECURITY CLASSIFICATION] | [TELSTRA ID] DOCUMENT.DOCX |
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
1. ABOUT THIS GUIDE...........................................................................................................4Your requirements ............................................................................................................................ 4
Our requirements .............................................................................................................................. 4
Keeping your contact details up to date ......................................................................................5
2. POLICY TRANSLATION SERVICES.......................................................................................5The devices we will translate from ...............................................................................................5
What we need from you ..................................................................................................................6
How to extract fi les from devices .................................................................................................6
The devices we will translate to ....................................................................................................7
The export formats we support .....................................................................................................7
Limits on service scope .................................................................................................................. 8
3. POLICY DESIGN SERVICES.................................................................................................9The devices we will design for ......................................................................................................9
What we need from you ................................................................................................................10
The export formats we support ....................................................................................................10
Limits on service scope ................................................................................................................11
4. POLICY AUDIT & OPTIMISATION SERVICES......................................................................11The devices we support ................................................................................................................11
What we need from you ................................................................................................................12
How to extract fi les from devices ...............................................................................................12
The export formats we support ....................................................................................................12
Limits on service scope ................................................................................................................12
5. SERVICE REQUEST CONSULTANCY..................................................................................14The services we provide ...............................................................................................................14
What we need from you ................................................................................................................14
Limits on service scope ................................................................................................................14
6. VULNERABILITY DISCOVERY............................................................................................15The services we provide ...............................................................................................................15
What we need from you ................................................................................................................15
Limits on service scope ................................................................................................................15
1. APPENDIX 1....................................................................................................................16
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 2/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES1. ABOUT THIS GUIDE
There are a number of terms, conditions, requirements, roles and responsibilities associated with the purchase and use of Telstra’s Security Consulting Services (Services).
The guide outlines both your and our roles and responsibilities regarding the Services.
This guide is divided according to the broad product offerings, Translation, Design and Optimisation and Optional Services. It is a companion document to the Security Consulting Services section of Our Customer Terms, and your Application Form.
Your requirements
You are expected to manage and use your Services according to the requirements outlined in this guide.
If you choose not to follow these requirements, we will not be responsible for any loss or inconvenience experienced if your Service is disrupted, and we may charge you additional fees in order to fix your Service.
You are required to provide us with all applicable information, data, consents, authorisations, decisions and approvals in order to activate service requests. You have to provide these things in the formats we specify (if any).
You are also required to identify when you need assistance from your assigned Telstra account executive and submit the appropriate requests.
Our requirements
We will provide your Service according to the requirements outlined in this guide.
We will provide service support and notify you of any service changes and let you know when a service request has been completed.
We will endeavour to answer questions you raise regarding the solution within agreed timeframes.
REQUIREMENT RESPONSIBILITYTelstra You
Specify the format to collect the information for the Security Consulting service to be purchased
Provide the necessary information for the Security Consulting service in the format specified by Telstra
Provide timely access to suitable personnel to clarify or confirm information as required Specify the available formats for the outputs from the Security Consultancy Service
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 3/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICESKeeping your contact details up to date
From time-to-time we will need to get in contact with you regarding your Service, so it’s important that you keep your organisation’s details up-to-date.
You need to ensure that the following contact details are correct and kept up-to-date:
Commercial contact: the authorised staff member who acts on your business’s behalf regarding all commercial matters associated with your service. Your Telstra account executive may call these contacts the ‘primary contact’ when carrying out functions on your behalf.
Technical contact: the authorised person who answers any technical questions associated with your service on your behalf.
2. POLICY TRANSLATION SERVICESThe devices we will translate from
We will translate the policies on your existing devices into a format you select. The appliances we will support are set out in the table below:
Supported Existing Devices (translate from)
Firewall
Vendor Model(s) Comments
Cisco PIX version 6.x to 8.4
ASA Versions 6.x to 8.4
FWSM
iOS Routers Version 12.0 to 12.14, excluding X* series
Juniper Netscreen
SSG
ISG
Checkpoint SmartCenter NG/NGX
Secure Platform
IPS
Cisco 4200
Juniper All models
Checkpoint All models
Content Security
Firstwave All models Internet Protection Web and
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 4/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
Internet Protection Mail
What we need from you
In order to carry out the translation services, we need the following inputs from you. You have to provide them in the time we specify, or if no time is specified, a reasonable time. We may not be able to perform the translation services until you provide us with the requested details.
Firewall IPS Content Security
Accurate extract of existing Firewall policy
Accurate extract of existing IPS policy
Accurate extract of existing Content Security appliance policy
Configuration or policy supplied in the format we specify
Configuration or policy supplied in the format we specify
Configuration or policy supplied in the format specified by us
Existing Firewall vendor and type Existing IPS vendor and type Existing Content Security appliance vendor and type
Proposed Firewall vendor and type if applicable
Proposed IPS vendor and type if applicable
Proposed Content Security appliance vendor and type if applicable
Ready access to your personnel to clarify or confirm information
Ready access to your personnel to clarify or confirm information
Ready access to your personnel to clarify or confirm information
How to extract files from devices
Some of the information we request from you can be extracted from your devices. Appendix 1 includes technical directions to assist you with this process to ensure the information is made available in a usable format.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 5/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
The devices we will translate to
We will translate the policies on your existing devices onto a defined range of devices. The devices we will support are set out in the table below:
Supported Existing Devices (translate from)
Firewall
Vendor Model(s) Comments
Cisco PIX version 6.x to 8.4
ASA Versions 6.x to 8.4
FWSM
iOS Routers Version 12.0 to 12.14, excluding X* series
Juniper Netscreen
SSG
ISG
Checkpoint SmartCenter NG/NGX
Secure Platform
IPS
Cisco 4200
Juniper All models
Checkpoint All models
Content Security
Firstwave All models Internet Protection Web and Internet Protection Mail
The export formats we support
We can provide translation details in specified formats. The formats we currently support are set out below:
1. Example IPOT (Telstra IP Ordering Tool). IPVAS, MDN, IPWAN2. Example MSS Detailing Workbook (Telstra)3. Standard formats (Non Telstra)
a. CSVb. TXTc. XML
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 6/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICESLimits on service scope
Policy translation is usually offered on similar devices for similar environment that have similar traffic requirements. No change in requirements in traffic flow, routing or other relevant change is included.
Policy translation is completed by our Professional Services Consultants and passed to the SSF team for implementation. We can provide a copy of the translated policy upon request. Should you require any change to the policy, this can be addressed via SSF standard change request process.
The second limit relates to unusual requests beyond the usual scope of translation work. We will advise you if a request is outside what we include in our standard service offering.
If you ask us to exceed these limits, additional charges may apply.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 7/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES3. POLICY DESIGN SERVICESThe devices we will design for
We will design policies for certain devices. The devices we will support are set out in the table below:
Supported Devices
Firewall
Cisco Security Appliances:PIXASAFWSMASA 8.3
Firstwave
Cisco IOS routers:Version 12.0 to 12.14, excluding X* series
Juniper firewalls:Netscreen, SSG, ISG
Check Point:SmartCenter NG/NGX, Security Management R70 to R75 running on any platform, including:
SecurePlatformCheck Point IPSO (formerly Nokia)CrossbeamLinuxSolarisWindows
Intrusion Prevention System
Cisco IPS Appliances:Cisco IPS 4200 SeriesJuniper
Content Security
FirstwaveCiscoPalo Alto
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 8/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
What we need from you
In order to carry out the policy design services, we need the following inputs from you. You have to provide them in the timeframe we specify, or if no time is specified, a reasonable time. We may not be able to perform the policy design services until you provide us with the requested details.
Firewall IPS Other Content Security
Accurate extract of existing Firewall policy
Accurate extract of existing IPS policy
Your Regulatory Requirements (eg PCI, ISO27001, ISM, etc)
Accurate extract of existing Content Security appliance policy
Configuration or policy supplied in the format we specify
Configuration or policy supplied in the format we specify
Your Business Requirements
Configuration or policy supplied in the format specified by us
Existing Firewall vendor and type
Existing IPS vendor and type
Your Traffic flow requirements
Existing Content Security appliance vendor and type
Proposed Firewall vendor and type if applicable
Proposed IPS vendor and type if applicable
Your Network architecture diagrams
Proposed Content Security appliance vendor and type if applicable
Ready access to your personnel to clarify or confirm information
Ready access to your personnel to clarify or confirm information
Any other relevant information
Ready access to your personnel to clarify or confirm information
The export formats we support
We can provide policy design details in specified formats. The formats we currently support are set out below:
4. Example IPOT (Telstra IP Ordering Tool). IPVAS, MDN, IPWAN5. Example MSS Detailing Workbook (Telstra)6. Standard formats (Non Telstra)
d. CSVe. TXTf. XML
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 9/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICESLimits on service scope
It is not possible to anticipate every service architecture and device setting. Accordingly, our service is subject to reasonable limits.
You will be limited to two changes within the scope of the initial engagement. However if any changes result in any or all of the requirements falling outside the initial scope Telstra reserves the right to review the fixed rate charge or convert the engagement into a customised solution.
The second limit on this solution relates to unusual requests beyond the usual scope of policy design work. We will advise you if a request is outside what we include in our standard service offering.
If you ask us to exceed these limits, additional charges may apply.
4. POLICY AUDIT & OPTIMISATION SERVICESThe devices we support
We will optimise the policies on your existing devices into a format suitable for management by SSF. The devices we will support are set out in the table below:
Supported Devices
Firewall
Cisco Security Appliances: PIX - ASA version 6.X to 8.4Cisco FWSMFirstwaveCheckpoint Security Gateway
Cisco IOS routers:Version 12.0 to 12.14, excluding X series
Juniper firewalls:Netscreen, SSG, ISG
Check Point:SmartCenter NG/NGX, Security Management R70 to R75 running on any platform, including:
SecurePlatformCheck Point IPSO (formerly Nokia)CrossbeamLinuxSolarisWindows
Intrusion Prevention System
Cisco IPS Appliances:Cisco IPS 4200 Series
Content Security
Firstwave (Internet Protection Web and Internet Protection Mail)
Palo Alto
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 10/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
What we need from you
In order to carry out the optimisation services, we need the following inputs from you. You have to provide them in the time we specify, or if no time is specified, a reasonable time. We may not be able to perform the optimisation services until you provide us with the requested details.
Firewall IPS Content Security Other
Accurate extract of existing Firewall policy
Accurate extract of existing IPS policy
Accurate extract of existing Content Security appliance policy
Your regulatory requirements (PCI, ISO27001, ISM, etc.)
Configuration or policy supplied in the format we specify
Configuration or policy supplied in the format we specify
Configuration or policy supplied in the format we specify
Your business requirements
Existing Firewall vendor and type
Existing IPS vendor and type
Existing Content Security appliance vendor and type
Your traffic flow requirements
Proposed Firewall vendor and type if applicable
Proposed IPS vendor and type if applicable
Proposed Content Security appliance vendor and type if applicable
Your network architecture diagrams
Ready access to your personnel to clarify or confirm information
Ready access to your personnel to clarify or confirm information
Ready access to your personnel to clarify or confirm information
Any other relevant information
How to extract files from devices
Some of the information we request from you can be extracted from your devices. The table in Appendix 1 sets out the instructions for common data-extraction tasks.
The export formats we support
We can provide policy optimisation details in specified formats. The formats we currently support are set out below:
7. Example IPOT (Telstra IP Ordering Tool). IPVAS, MDN, IPWAN8. Example MSS Detailing Workbook (Telstra)9. Standard formats (Non Telstra)
g. CSVh. TXTi. XML
Limits on service scope
It is not possible to anticipate every service architecture and device setting. Accordingly, our service is
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 11/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICESsubject to reasonable limits.
You will be limited to two changes within the scope of the initial engagement. However if any changes result in any or all of the requirements falling outside the initial scope Telstra reserves the right to review the fixed rate charge or convert the engagement into a customised solution.
The second limit on this solution relates to unusual requests beyond the usual scope of policy design work. We will advise you if a request is outside what we include in our standard service offering.
If you ask us to exceed these limits, additional charges may apply.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 12/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES5. OPTIONAL SERVICES (INCLUDING SERVICE REQUEST CON-
SULTANCY) The services we provide
You can ask us to provide services outside the scope of our standard security consulting service packages. For instance, we will review and where necessary optimise any requests you submit for professional services covered under the Optional Services. Once this process has been completed we will submit and manage the completion of these requests on your behalf.
What we need from you
In order to carry out the Optional Services, we need the following inputs from you. You have to provide them and any additional information we request in the time we specify, or if no time is specified, a reasonable time. We may not be able to perform the service request service until you provide us with the requested information.
All device related information supplied in the agreed format
Clear instructions regarding the work required
Any specific requirements regarding timeframes or access requirements
Access to your personnel or authorised representatives to clarify or confirm any of the supplied information
Limits on service scope
For all Optional Services we will agree a service scope with you. Any work outside that agreed scope will incur additional charges.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 13/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 14/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES1. Appendix 1 The following table sets out suggested ways of extracting relevant information from your devices. You are responsible for all activities you undertake with your devices and we exclude all liability for steps you take in reliance on this information.
Firewalls
Cisco PIX/ASA Firewalls
1. Connect to the device using SSH or telnet.2. Enter the command enable and provide the enable password.3. If you are connecting to a PIX firewall running version 6.x, enter the command no pager.4. If you are connecting to an ASA firewall or a PIX firewall running 7.x or higher, enter the command
terminal pager 0.5. Enter the command show run and capture the output to a file called config.txt.6. Enter the command show route and capture the output to a file called route.txt.7. Send the above files (config.txt and route.txt) as an encrypted zip file to your Telstra Security Consultant.
Cisco IOS Routers
1. Connect to the IOS device using SSH or telnet.2. Enter the command enable and provide the enable password.3. Enter the command terminal length 0.4. Enter the command show run and capture the output to a file called config.txt.5. Enter the command terminal ip netmask-format bit-count.6. Enter the command show ip route and capture the output to a file called route.txt.7. Enter the command show ip route vrf [vrfName], where [vrfName] is the name of the router’s VPN
routing/forwarding instance.8. Capture the output to a file called vrf-routes.txt.9. Send the above files (config.txt, route.txt and vrf-routes.txt) as an encrypted zip file to your Telstra Security
Consultant.
Cisco PIX/ASA Security Context
There are two options when connecting to security contexts on PIX/ASA devices: connecting as a device administrator, and connecting as a context administrator. If you connect as a context administrator, you will not be able to access system space or administrator contexts. We recommend connecting as a device administrator when possible.
To connect as the device administrator:3. Connect to the device using SSH or telnet.4. Enter the command enable and provide the enable password.5. Enter the command changeto context [contextName], where [contextName] is the name of the security
context.6. Enter the command terminal pager 0.7. Enter the command show run and capture the output to a file called config.txt.8. Enter the command show route and capture the output to a file called route.txt.9. Send the above files (config.txt and route.txt) as an encrypted zip file to your Telstra Security Consultant.
To connect as the context administrator:1. Connect to the security context on the PIX/ASA device using SSH or telnet.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 15/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
2. Enter the command enable and provide the enable password.3. Enter the command terminal length 0.4. Enter the command show run and capture the output to a file called config.txt.5. Enter the command show route and capture the output to a file called route.txt.6. Send the above files (config.txt and route.txt) as an encrypted zip file to your Telstra Security Consultant.
Cisco FWSM
The procedure to get configs from FWSM on Cisco devices differs depending on what OS the device is running.
To get configs from FWSM on Cisco devices running IOS:1. Connect to the supervisor modules of the device using ssh or telnet.2. Enter the command enable and provide the enable password.3. Enter the command session slot [moduleNumber] processor [processorNumber], where [moduleNumber]
is the slot number for the FWSM module, and [processorNumber] is its processor number.Note: If you do not know the module number, run the supervisor command show modules to find it. The value for processorNumber is 1 in most cases, but can range from 0 to 9.
4. Enter the password to start the FWSM session.5. Enter the command enable and provide the enable password.6. If you are connecting to a device running an FWSM version below 3.1.x, enter the command no
pager.7. If you are connecting to a device running FWSM version 3.1.x or higher, enter the command terminal
pager 0.8. Enter the command show run and capture the output to a file called config.txt.9. Enter the command show route and capture the output to a file called route.txt.10. Send the above files (config.txt and route.txt) as an encrypted zip file to your Telstra Security Consultant.
To get configs from FWSM on Cisco devices running CatOS:1. Connect to the supervisor modules of the device using ssh or telnet.2. Enter the command enable and provide the enable password.3. Enter the command session [moduleNumber], where [moduleNumber] is the slot number for the FWSM
module.Note: If you do not know the module number, run the supervisor command show modules to find it.
4. Enter the password to start the FWSM session.5. Enter the command enable and provide the enable password.6. If you are connecting to a device running an FWSM version below 3.1.x, enter the command no
pager.7. If you are connecting to a device running FWSM version 3.1.x or higher, enter the command terminal
pager 0.8. Enter the command show run and capture the output to a file called config.txt.9. Enter the command show route and capture the output to a file called route.txt.10. Send the above files (config.txt and route.txt) as an encrypted zip file to your Telstra Security Consultant.
Juniper NetScreen Firewall
There are two options when connecting to Juniper NetScreen devices: connecting to a physical device, and connecting to a virtual system.
To get configs from a physical Juniper NetScreen firewall device:1. Connect to the NetScreen device using SSH or telnet.2. Enter the command set console page 0.3. Enter the command get config and capture the output to a file called config.txt.4. Enter the command get route and capture the output to a file called route.txt.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 16/17
RESPONSIBILITIES GUIDESECURITY CONSULTING SERVICES
5. Enter the command get service and capture the output to a file called service.txt.6. Send the above files (config.txt, route.txt and service.txt) as an encrypted zip file to your Telstra Security
Consultant.
To get configs from a virtual Juniper NetScreen firewall system:1. Connect to virtual system:
a. Use the system management IP address to connect over SSH or Telnet, or in the HyperTerminal command-line interface.
b. Enter the user name for the administrative user.c. Enter the password for the administrative user.
2. Enter the command set console page 0.3. Enter the command get config and capture the output to a file called config.txt.4. Enter the command get route and capture the output to a file called route.txt.5. Enter the command get service and capture the output to a file called service.txt.6. Send the above files (config.txt, route.txt and service.txt) as an encrypted zip file to your Telstra Security
Consultant.
Check Point Firewalls
1. Enter Expert Mode.2. Copy the configuration files from the remote Check Point management server to the local FSM server:
a. Connect to the Check Point SmartCenter server using SSH or Telnet.Note: This is not the Smart Dashboard client GUI. Connect to the server directly.
b. Find the directory on the server where the Check Point management server software is installed. This may be defined by the $FWDIR environment variable.
c. Copy the file $FWDIR/conf/objects_5_0.C to your local file system.Note: There is also a file called objects.C. This is not the correct file.
d. Copy the file $FWDIR/conf/rulebases_5_0.fws to your local file system.3. Extract the routing table with the cpstat command:
a. Connect to the Check Point management console.b. If you are connecting to a Provider1 system, connect to the Customer Management Add-on
(CMA) that manages the firewall.c. Enter cpstat os -f routing -h [ipAddress] > route.txt, where [ipAddress] is the IP address of the
firewall module.Note: If this command is not available, use the procedure at the end of this section to manually obtain the routing table from the device.
4. Send the above files (objects_5_0.C, rulebases_5_0.fws and route.txt) as an encrypted zip file to your Telstra Security Consultant.
To manually obtain the routing table from a Check Point device:1. Connect to the device using SSH or Telnet.2. Run one of the following commands, depending on the host platform:
o SecurePlatform: netstat -rno Check Point IPSO Appliance: show routeo Nokia IPSO: netstat -rno Linux: netstat -rno Solaris: netstat -rno Crossbeam UTM: netstat -rn
3. Copy the output from the command to a text file called route.txt.
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 29/11/13DRAFT| TELSTRA INTERNAL | TELSTRA-ID-SYSTEM GENERATED IF EDMS | PAGE 17/17